Security of httpd (url string exploit?)

January 6, 2013 4.4k views
mattsharpdesign
By:
mattsharpdesign
Hi. Logwatch on my CentOS VPS reported the following: --------------------- httpd Begin ------------------------ A total of 1 sites probed the server 222.73.21.47 A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit): /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP Response 200 ---------------------- httpd End ------------------------- --------------------- pam_unix Begin ------------------------ vsftpd: Unknown Entries: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=92.86.139.111 : 105 Time(s) check pass; user unknown: 105 Time(s) ---------------------- pam_unix End ------------------------- Is this serious? What should I do next? Thanks
Log In to Comment
1 Answer
moisey MOD January 7, 2013
It is quite common to have remote users attempt to exploit any server that is on a public IP address.

If you follow our default setup instructions you should not have any issue with this.

Additionally the /etc/passwd file does not have any hashed passwords which are instead stored in your shadow file.
Reply
Have another answer? Share your knowledge.